
“The Weakest Link”- Insider Foils Underwear Bomb Plot May 8, 2012

Posted by Chris Mark in Risk & Risk Management, terrorism, Uncategorized.

I have written extensively about the weakest link in any security program being the actual people responsible.  While we understand this point from a “good guys” perspective, it is just as true for our adversaries.  MSNBC reported today that the underwear bomber who was supposed to blow up a jetliner this month had been working for the US and our allies since day one and was a paid informant.  As stated on MSNBC: “An insider who worked with the United States and an allied security service to thwart an al-Qaida bomb plot hatched in Yemen was the man picked to carry out the suicide attack on a U.S.-bound airliner, U.S. and Yemeni officials tell NBC News. An unidentified Yemeni government official, speaking on condition of anonymity, said the supposed suicide bomber was working for Western intelligence ‘from day one.’”

The interesting point of this story is that it does not matter whether we are talking about nuclear facilities, cybersecurity, or counterterrorism: the human element always plays a role and is always the most unpredictable.  While the group that sent the man on his suicide mission clearly believed he was a ‘true believer’ willing to give his life for their cause, it appears that he had another agenda.  This is the challenge with security.  Trust but verify is a mantra that rings true in all aspects of security.  Thank goodness the group that tried to blow up the airliner acted on faith and not on solid security principles.

“Trust but Verify”- Insider Threats & Intellectual Property Theft February 20, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

According to the US Government, intellectual property theft costs the US approximately $250 billion per year.  Unfortunately, a large and growing percentage of this theft is due to insiders.  The human element of data security is a topic that I have written on numerous times.  This article follows one I wrote in August 2011 titled: Security 101: The Human Element.

I have worked with a number of large (and small) organizations that were very focused on risk management and information security.  It is always disheartening when you find that the companies focus solely upon external threats and ignore one of the largest threats to their intellectual property: their own employees.  Humans are social creatures.  We make friends and we want to be trusted.  We also believe in our fellow person.  Nobody likes to feel that they are not trusted and, consequently, few like to make others feel that they are not trusted.  Unfortunately, where data security and the protection of intellectual property are concerned, companies are well advised to adhere to the old adage: “Trust but Verify”.

With increased responsibility often comes increased authority and increased access to sensitive systems and information.  Companies often make the mistake of believing that with increased responsibility comes a decrease in the need to monitor activity.

Security 101: The Human Element – “Trust but Verify” August 24, 2011

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

As maritime security becomes more lucrative and companies take steps to stop attacks, it is the natural evolution of crime that the pirates will begin looking for new vulnerabilities to support their efforts.  Often the most vulnerable element of any security strategy is the human element.  People often provide the proverbial ‘weak link’ in the strategy.  Often it is not an intentional act by a person that creates an issue.  It could be a simple mistake, or the person could be deceived into taking action.  While these are common aspects of security today, I want to talk about people who take direct action with intentions that are contrary to the organization.  It is not something that any company likes to consider, but it is an unfortunate fact of life.  People are rational actors and, as such, a percentage of any population will be inclined to perform actions that are outside the bounds of what most consider ethical or moral behavior.  This is where the idea of “trust but verify” comes in.  We all like each other and we all want to believe that we are all honest people.  It is irresponsible, however, to simply take people at their word.  Verifying is the responsible and appropriate course, given the access to information involved.  It is obvious that with increased responsibility comes increased authority.  Often this leads companies to believe that these senior “trusted” individuals do not require the same level of monitoring to which more junior employees may be subject.  This is a serious mistake.  Increased responsibility and authority come with increased access to information.  It is often these very employees who can do the greatest damage.  I will give an example from my own experience.

Recently, through some legal proceedings, it was discovered that a former Chief Technology Officer of a company I previously owned had taken steps to download every single employee’s and contractor’s email to his personal system.  When confronted at the proceeding, he admitted he had indeed downloaded every email.  He then took a number of steps to hide his actions.  His actions were only discovered 2 years later through legal proceedings.  He has not divulged why he took such action.  It should be noted that in many states in the US this is not only a crime but a felony.  This was not a junior level employee who could plead ignorance.  This was a person with a graduate degree in information security who, by his own admission, “defines security and risk”.  To say I was apoplectic when I discovered his actions would be an understatement.  He not only violated the trust of the company and me personally, but potentially committed a serious crime.  The point of this example is to demonstrate the need to “trust but verify” what ALL employees are doing.

Operational security, or OpSec, is increasingly important in a hyper-competitive world.  Add to that the new threat of information theft by pirates and those supporting piratical acts, and the need to protect your information and assets becomes critical.  It is not only the junior level staff who should be monitored and ‘verified’; it is all employees.  Anyone with a security clearance is used to the fact that every few years the Gov’t decides to crawl through your life and put you through a polygraph to ensure that you are still ‘trusted’.  This is a good example of ‘trust but verify’.  When developing a strategy to address information security and operational security, it is important that all areas of the business are considered and addressed.  Often it is a single trusted person who causes irreparable harm to the organization.

Somali Pirates using Blogs and GPS to Hunt Ships June 23, 2011

Posted by Chris Mark in InfoSec & Privacy, Piracy & Maritime Security, Risk & Risk Management.

Consistent with industry expectations, Somali pirates are increasingly turning to high technology to hunt high-value ships.  According to Techland, pirates are using GPS, as well as social media such as shipping company blogs to identify and hunt ships for attack.  According to an article in Fast Company:

“In addition to random attacks on cargo and passenger ships, Somali pirates are increasingly relying on the use of GPS systems, satellite phones, and open-source intelligence such as shipping industry blogs in order to figure out the location of ships. Much of the technological infrastructure used by the pirates is allegedly located in the Somalian city of Eyl, which has been described as the ‘piracy capital of the world.’”

It is paramount that shipping companies recognize the new threats and understand that the protection of vessels and their crews extends beyond physical security and armed guards.  Ensuring that operational security processes are employed is as important, if not more important, than simply arming ships.  A review of the maritime security industry shows a distinct lack of expertise in information security.
